DE102011003920A1 - Mobile radio operated electronic access system - Google Patents

Abstract

The invention relates to a mobile radio device (10) for use in an electronic access system for communication with a central server (S) for processing at least one access authorization for an application (A) that runs on the server (S). For this purpose, an optical identification signal, in the form of a bar code or a photograph of the user on the mobile radio device (10) in the form of an identification code (I) is recorded and sent to the server (S) together with the mobile phone number (G) for further processing. The access authorization of the user for the respective application (A) can thus be checked on the central server (S). The invention relates in particular to medical and health-related applications (A)

Description

FIELD OF THE INVENTION

The present invention relates to the fields of mobile radio technology and information technology and relates to a mobile radio device for processing a user-specific and application-specific access authorization for an application, a mobile radio-operated electronic access system, a server, and methods for processing at least one application-specific access authorization for various applications.

The present invention thus relates to computer networks and the exchange of data with mobile devices that support different applications requiring access authorization of the respective user, such as e-commerce or healthcare systems.

BACKGROUND OF THE INVENTION - PRIOR ART

Modern information technology systems in the health sector are usually computer-based and rely on the use of smart cards or IC cards, for example, as an insurance card. However, since the insurance is not the only application of the user, today the user carries a variety of such cards for a variety of applications, such as e-commerce applications or financial applications or the like. The information technology background of such systems is generally based on the fact that the respective user can identify himself with the card for the respective application, whereby the card is used as a kind of "token" for user identification.

Especially in the health sector and its applications exist a variety of applications in which each medical records must be managed and assigned to each other, eg. As chronic diseases, examination reports, laboratory findings, medical procedures and measures, diagnostic image findings, medication data, etc.

Especially in the medical field is a special feature that life-threatening emergencies can occur, which require immediate action. In practice it turns out that patients in such emergency situations often just do not have the appropriate card with the access permissions available or can not "operate", resulting in time delays.

OBJECT OF THE INVENTION

The present invention has therefore set itself the task of providing an information technology system that allows a central but mobile operation of a user for different applications, each requiring an access authorization by the user. In addition, emergency medical situations that require user authorization should be executable if the user does not carry his or her authorization card or can not use it.

In addition, the data exchange between a plurality of clients (usually the patient) and at least one central server on which the respective application or a plurality of applications is to be made safer.

GENERAL DESCRIPTION OF THE INVENTION

The above object is achieved by the accompanying independent claims, in particular by a mobile radio device, a mobile radio-operated electronic access system, by a central server, by a method for processing an access authorization, as well as the client-side part of the method and the server-side part of the method mentioned above and by a computer program product.

An essential aspect of the present invention is to provide a scheme for operating a communication network (eg mobile radio), as well as an information technology platform based on a client-server solution, with which the known in the prior art chip Cards can be replaced as identification means by an electronic record. The invention proposes to use the mobile device of each user. The mobile device is also used to generate two identifying records: On the one hand, an electronic record (identification code) is generated, which uniquely identifies the user of the mobile device and on the other hand, an electronic record (device identifier) is generated, the one-to-one mobile device identified. The application can then - as a receiver - an identification message (sent by the mobile user) on the basis of identifying the sender record an access authorization of the sender to check the application. In a preferred embodiment of the invention serve as a user-identifying code an image of the user and the mobile number as a device identifier. In alternative embodiments, the Identification code can also be provided as an acoustic code or as an identification code in another format. Likewise, another identifier can be used as an alternative to the mobile number.

• – Einem Generator, der zum Generieren eines maschinenlesbaren Identifikationscodes bestimmt ist, der seinerseits einen Benutzer des Mobilfunkgerätes eineindeutig identifiziert;
• – Einem Einlesemodul, das zum Einlesen des maschinenlesbaren Identifikationscodes bestimmt ist und
• – einem Sendemodul, das den maschinenlesbaren Identifikationscode zusammen mit einem Geräteidentifikator in einer Identifikationsnachricht an den zentralen Server versendet, der seinerseits dazu bestimmt ist, aus der empfangenen Identifikationsnachricht zumindest eine applikationsspezifische und benutzerspezifische Zugangsberechtigung zu extrahieren.

One aspect of the invention thus relates to a mobile radio device for use in an electronic access system for communication with a central server for processing at least one user-specific and application-specific access authorization for at least one application, comprising:

• A generator intended to generate a machine-readable identification code which in turn uniquely identifies a user of the mobile device;
• A read-in module intended for reading in the machine-readable identification code, and
• - A transmission module that sends the machine-readable identification code together with a device identifier in an identification message to the central server, which in turn is intended to extract from the received identification message at least one application-specific and user-specific access authorization.

The terms used in the context of this invention are explained below.

In the preferred embodiment, the mobile device is a commercially available mobile phone to which an access authorization module, for example as a software application, is loaded. Alternatively, the mobile phone can be equipped via a specific access module, which is designed as a hardware module. In addition to being a mobile phone, other portable electronic devices may be used, such as PDA's (Personal Digital Assistant), laptops, portable computers or other electronic devices with corresponding interfaces. In the preferred embodiment, these devices or the deployed mobile device include an integrated camera to capture image data. Alternatively, it is also possible that the mobile device is designed with an interface to exchange data with an image capture device (for example, a digital camera) and to read them. The mobile device is in data exchange with at least one central server. The data exchange preferably takes place via the mobile radio network. Alternatively, other communication protocols can also be used here. All of the variants of the invention mentioned below can in principle be related to other communication terminals, even if they are only described in connection with a mobile radio device.

The electronic access system comprises a central server. Depending on the type of application, of course, several servers can be used here to manage the respective applications. The applications are all characterized by the fact that they can only be operated and controlled with a user-specific and application-specific access authorization. Particularly in the health sector, it is a mandatory requirement that, for example, patient data can only be viewed by an authorized person (as a rule, the patient himself and the attending physician). For this purpose, the respective users (patient and / or doctor) in the prior art carry a specific token with them, which in most applications will be in the form of a chip card. The chip card carries one or more data records in order to uniquely identify the respective user. According to a preferred embodiment, the server is designed to execute the respective application (or the plurality of applications). In other words, the respective applications run on the server and only the input data records and / or the output data records are transmitted to the respective client (ie to the mobile radio device). An example of such an application is the administration of insurance data for a patient. Depending on the application, for example, the patient's insurance data records can be sent to the application in order to record a medical examination with the respective insurance data. Likewise, new insurance conditions may lead to insurance data being transferred from the application to the client. In the latter case, the data is stored on the chip of the memory card to be retrievable for later applications. It is also possible that the application is distributed and partially executable on the central server and partly on the client of the mobile device.

It is also obvious that the application, the central server and / or the mobile device interact with other electronic or computer-based instances or modules to transmit access authorization data.

The machine-readable identification code is preferably generated directly on the mobile device itself. The identification code is characterized by the fact that it uniquely identifies the user (here: user of the mobile device). The identification code is machine or computer readable and includes at least one of the following records: user name, date of birth of the user, place of birth, e-mail address, or other records that uniquely identify the user and are invariant except for the optional additions of variable shares, such as: , B. a timestamp. Preferably, a software module is loaded on the mobile device, which is designed, inter alia, to generate this identification code, read in and quickly, reliably and safely assign it to another record. Accordingly, the read-in module is designed as part of the generator. Alternatively, the identification code not on the phone, but z. B. generated by the mobile network or communication network operators. Then the read-in module is used to read in the remotely generated identification code. The further data record is a device identifier.

The device identifier is also a machine or computer readable code that serves to uniquely identify the user. Preferably, the device identifier is formed by the mobile number of the respective mobile device. The device identifier thus uniquely identifies the user (client) of the mobile or network device (usually via its SIM card). If several users communicate with or use the same mobile number, further additions are added to the device identifier to distinguish all users of those numbers.

It is also possible to use several mobile numbers as device identifiers, each mobile number uniquely identifying one user each. In an alternative embodiment, alternatively or cumulatively to the mobile number, the device number of the mobile device manufacturer can still be used if it uniquely identifies the respective mobile device. Preferably, the device identifier can be generated directly from the mobile device itself, without further user interaction or data exchange with other instances are necessary.

The identification message is a digital signal that is also generated on the mobile device. The identification message is usually a combination of the machine-readable identification code and the machine-readable device identifier. In alternative embodiments, the identification message comprises further elements, such as a time stamp, in order to be able to temporally resolve the identification message at a later time. Preferably, the identification message is created in machine-readable form on the mobile device automatically and without further user interaction. In alternative embodiments, the identification message can be supplied to further security measures, for example, the identification message as such or parts thereof are subjected to encryption, so that they are transmitted only in encrypted form to the server, this then - knowing the necessary encryption information - again decrypted.

An important aspect of the present invention is that an optical code is used as the identification code to identify the mobile radio user. It uses the image data that uniquely identifies the user. These include a recording of the user or any other optical code that has been assigned to the mobile user in a preparatory phase. For example, this can be a barcode. With a camera assigned to the mobile device, the optical code used in each case is recorded in a subsequent step (recording of an imaged barcode or recording of the mobile user or a combination of both). According to the invention, a module is implemented on the mobile radio device, which generates a digital signal from the detected optical signal (s). By way of example, this may be an optical recognition measure such as, for example, an optical character recognition method known in the art (OCR method for short) or the like. In other words, it is thus provided according to the invention to transform an optical, analog signal (the captured image) into a digital signal (the identification code). Preferably, it is provided that the digital identification code is transmitted from the mobile device to the central server in order to be resolved there. As already mentioned above, of course, further security measures can be applied here, so that the identification code is not transmitted directly, but only an encrypted image of the same to the central server. Likewise, it is possible to transmit the identification code via a plurality of intermediate points and thus only indirectly to the central server, if, for example, further applications and measures have to be executed on the identification code.

Preferably, the identification code is detected with an optical detection device, which is associated with the mobile device. This is usually a camera, for example a CCD camera (comprising charge-coupled-device sensors). Of course, it is also possible to capture the identification code with another electronic device and transmit it via an interface to the mobile device, in order to then forward this to the transmission module for common transmission with the device identifier. Alternatively, the identification code can also be read in by another application or another computer-based instance and transmitted via an interface to be sent to the mobile device.

As already mentioned above, the mobile device comprises at least one generator or a read-in module and a transmission module. These are preferably software applications and / or hardware modules.

• – In einem Push-Modus und
• – in einem Pull-Modus.

The transmitter module can be operated in two different operating modes:

• - In a push mode and
• - in a pull mode.

The push mode is characterized in that in a predefinable event on the part of the mobile device (for example: switching on the mobile device, newly generated or changed identification code and / or device identifier, etc.) automatically sending the identification message is triggered to the central server. The pull mode is characterized in that the sending of the identification message is triggered by an event of the server. In particular, the sending of the identification message is initiated when the server or an application running on it requests identification data. In both variants, it may be provided to detect a verification signal which is necessary in order to send the identification message. The verification signal usually requires a confirmation of the mobile user. With this aspect, the security of the system can be increased because only then identifying data from the mobile device to the central server or to other instances are sent when the mobile user confirms its transmission. In a preferred embodiment, it is provided that the optical identification code is transmitted as a multimodal message, in particular using the multimedia messaging service (as MMS). In alternative embodiments, however, other data formats and transmission protocols are applicable here.

A significant advantage of the solution according to the invention is the fact that in the communication with the mobile device anyway, the mobile device identifying code (usually the mobile number) is transmitted. This data record is used to generate the identification message or to extract the identification code from the identification message on the server side.

This has the advantage that no or only minor additional information technology measures or extensions to the mobile devices are necessary. In addition, no significant further user interactions are necessary, so that the process for processing the access permissions can be carried out largely automatically. For medical use, it proves to be advantageous, in particular, that the coding identifying the respective patient (the identification code) can also be read in even if the mobile phone user is unable to automatically enter his identification code due to a medical condition or illness. Another advantage is also to be seen in the fact that the nature of the respective applications are not limited to the medical sector, but for example, are also generally applicable in other domains, such as insurance, financial or e-commerce with applications in which A user must also have application-specific authorization (which has hitherto always been carried out via the use of an IC card and the reading of the respective data records on the IC chip). Thus, an advantage is also to be seen in the fact that the nature and content of the respective application are fundamentally independent of the solution according to the invention. Accordingly, the applications can also be extended. Thus, for example, it is also possible for the server after receiving the identification message and the extraction of the identification code to receive further data records from the client (ie from the mobile radio device) and process them on the server.

Which parameters are taken into account for determining the identification code can be defined in advance. For example, it is possible to include only the username and date of birth here. However, it is also possible to use even more of the above-mentioned data sets. A change of configuration parameters, such as the definition of the identification code, is also possible during operation. For example, the user's e-mail address or other identifying records, such as bank account details, may be taken into account.

In a preferred embodiment, the generator, the read-in module and the transmission module are integrated in a module in the mobile device. Alternatively, these can also be implemented as separate modules in the mobile device. Thus, these are independently changeable. This is usually done in the form of applets.

A further solution to the above-mentioned object is a mobile radio-operated (or network-device-operated) electronic access system for processing at least one access authorization for at least one application. The access system comprises a multiplicity of mobile radio devices (or network devices) and at least one central server, with which the mobile radio devices are exchanged (preferably via the mobile network). In this case, a mobile device is assigned to each user, so that therefore the user can be uniquely identified via the mobile device. In addition, the mobile device is identifiable via a machine-readable device identifier. Preferably, the mobile number is used here. Alternative embodiments provide other identification options for the mobile device (eg manufacturer's advice or an ID code assigned in a preparation phase). In the preferred embodiment, the access authorization is both application-specific and user-specific. This means that a particular user requires a separate and separate access authorization for a specific application. Thus, the cards previously used in the prior art for operating the respective applications (for example, a card for operating an insurance application and another card for operating a medical application) can be replaced with the inventive solution by using a single mobile device with the additional functionality according to the invention ,

As already mentioned, the access system according to the invention is characterized, inter alia, by the fact that a machine-readable identification code is generated or read on the mobile device and then together with the device identifier, which is also machine-readable, in an identification message to the central server via the mobile network and with the terminal address the application (eg mobile phone number or e-mail address) is sent. The server can then extract at least one application-specific access authorization from the received identification message and thus control or operate the application. The user only interacts with his mobile device via the intended user interface. An interaction of the mobile user with the central server is not provided and not necessary.

The invention now makes it possible to unambiguously identify the mobile user on the server side and to store this data in a database or make it available to other entities.

A further solution to the above object is a method for processing an access authorization according to the appended claim. The generating, reading in and sending are performed on the mobile device, while the receiving and extracting are performed on the central server.

A solution to the above object thus also exists in a client-side method, which is executed on the mobile device and intended for interaction with the central server, and in a server-side method for operating a server, which is designed to interact with the mobile device is.

An alternative task solution is a computer program product according to the appended patent claim. The computer program can also be stored on a data medium or a storage medium. It is also possible to provide the computer program as a distributed system, so that individual modules are executed in the mobile device and other modules come on the central server to run.

An alternative solution of the problem is thus in a computer-implemented method according to the appended method claims, which can also be distributed in the form of a program stored on a storage medium.

Further solutions to the problem and alternative embodiments can be found in the accompanying claims.

In the following detailed description of the figures, non-limiting exemplary embodiments with their features and further advantages will be described with reference to the drawing. In this show:

1 A schematic representation of electronic devices that interact according to an advantageous embodiment of the invention and

2 a schematic representation of a mobile radio operated electronic access system according to a preferred embodiment of the invention and

3 a schematic representation of a data exchange between a mobile device and a central server according to a preferred embodiment of the invention.

In the following the invention will be explained in more detail with reference to different embodiments in conjunction with the figures.

1 shows a schematic, overview-like representation of a mobile device 10 which is in communication with at least one central server S via a mobile radio network (referred to uniformly in the figures as "network"). In the mobile device 10 they may be commercially available cell phones or smartphones that have different memories (RAM, ROM), an operating system OS, a clock CLOCK, a processing unit CPU and, as a rule, several interfaces SS include. The interfaces SS include a graphical user interface, usually in the form of a touch screen.

The mobile device 10 includes a module 100 , in which further modules are integrated. In the module 100 It is an access module intended for the calculation and processing of access data.

The server S is a computer-based entity that may consist of a computer or a computer network or a cloud computing system that interacts with other computer-based entities, such as a database DB. According to the invention, the server S comprises at least one application A, which in turn comprises a plurality of modules.

According to the invention, it is provided as a mobile device 10 a common, commercially available mobile device 10 to which an additional software or hardware applet is loaded or implemented. The applet can be in the form of a single module 100 be provided or it may be modular and individual separate modules 101 . 102 and 103 etc., on the mobile device 10 are implemented.

2 shows in an overview-like representation in a schematic manner that in the access system according to the invention usually a plurality of mobile devices 10 ₁ , 10 ₂ , 10 ₃ , 10 ₄ ... with each other via a mobile network in the data exchange with a plurality of servers S. In an alternative embodiment, it is also possible to provide only one central server S. Different applications A ₁ , A ₂ , A _3, etc., which are intended for processing and calculating access data, can be implemented on the server S. The assignment between application and server is not limited. So it is also possible that only one application runs on a server or that several applications (for one application) are distributed on several servers. For example, an image reading application for reading patient-specific image examination data, a past-processing application for reprocessing an image data set, an access application for authenticating the user, etc.

As in 2 indicated, the different servers S may each be formed with the same applications Ai or with different applications A. The servers S are in data exchange via a network. The network is usually a computer network that can operate on different protocols.

Usually, a mobile device 10 operated by exactly one user or user. This is in 2 with the association between the user shown schematically and the respective mobile device 10 indicated. Alternatively, n: m mappings may exist.

According to a preferred embodiment, the server S with the applications A ₁ , A ₂ , A ₃ ... assigned to the mobile operator. This allows a data exchange between the individual mobile devices 10 and the respective applications A are provided on the server S. In an alternative embodiment, the server S with the applications A is not part of the mobile operator data center, but provided as a separate server S. In this case, the mobile network operator establishes an interface to the server S, which ensures the data exchange. Accordingly, a server S, which is provided as a separate instance, indirectly via the interposition of computer-based instances of the mobile network operator with the mobile devices 10 interact with the system.

According to one aspect, the invention relates to the fact that a user who has several chip cards for different applications or applications A now only has a common and largely automated access authorization using his mobile radio device 10 the different applications A can operate or control without having to operate the individual chip cards, as it was previously required in the prior art. In particular, the use of two different codings (first: In relation to the mobile device 10 and secondly, with regard to the user / user), an application-specific and user-specific checking of the access authorization may be possible.

This inventive approach will be described in the following with reference to embodiments in connection with 3 explained in more detail.

According to the invention, it is thus provided that the mobile device 10 with an additional applet 100 is extended. Likewise, the central server S is extended with an additional application A. In an alternative embodiment of the invention, the application A is provided anyway and is only extended by further modules.

Preferably, the mobile device 10 through a generator 101 extended, which is intended to generate a machine-readable identification code I. In this case, the identification code I uniquely identifies the respective mobile radio user.

In an alternative embodiment is a read-in module 102 provided, also on the mobile device 10 is implemented and that is intended for reading the identification code I, which has been generated on another instance.

Furthermore, a transmission module 102 on the mobile device 10 provided. The transmission module 102 serves for creating an identification message N. The identification message N preferably comprises the machine-readable identification code I and a device identifier G. The device identifier G identifies the respective mobile radio device 10 in an unambiguous way. According to a preferred embodiment, the identification code I is a data record that uniquely identifies the user. In this case, a combination of person-specific or person-specific data sets is used, such as the user name, the user birthday, the location, the e-mail address, an image of the user, etc. Preferably, an image of the user is used here. The image of the user is using the mobile device 10 recorded with an integrated camera and transmitted in digitized form together with the device identifier G as an identification message N to the server S. In the device identifier G is preferably the mobile number of the mobile device 10 used. As in the communication of the mobile device 10 Anyway, the mobile number G is used, the addition of the device identifier G in the form of mobile phone number is given anyway and is carried out, so to speak, automatically without changing the existing system. In alternative embodiments, the identification message N may include further data records, such as timestamps and the like. The identification message N is transmitted to the server S via the mobile radio network.

The server S comprises several applications A. These are software and / or hardware modules. The server S comprises in particular a receiving module S1, which is intended to receive the identification message N. In addition, it comprises an extractor S2 which is designed to extract the identification code I from the received identification message N. In addition, the server S comprises a linker S3 which is intended to electronically link / link the identification code I with the device identifier G in order to operate and / or control the respective application A. In this case, the application A may be in data exchange with a database DB, which in 3 is also shown.

As in 3 shown are the generator 101 , the read-in module 102 and the transmitter module 102 on the mobile device 10 implemented or assigned to this. In contrast, the receiving module S1, the extractor S2 and the linker S3 are assigned to the respective application A and implemented on the server S.

Out 3 The typical course of a method for processing access authorizations can also be explained.

First, the mobile radio device side, the identification code I by means of the generator 101 generated by the user of the mobile device 10 uniquely identified.

In a second step, the generated identification code I in the mobile device 10 through the reading module 102 read.

In a third step, an identification message N is generated, which comprises the read-in identification code I and the device identifier G. This is done by the transmit module 102 executed. Alternatively, this function can also be done on the read-in module 102 be executed, then the result to the transmission module 103 forwards. In a next, fourth step sends the transmitter module 102 the thus generated identification message N via the mobile network to the central server S.

The receiving module S1 of the server S receives the identification message N and forwards it to the extractor S2 automatically. The extractor S2 extracts from the received identification message N the identification code I, which is the user of the mobile device 10 identified. This makes it possible for the server S to find out from which person the respective message has been sent and to provide this information to the application A and / or further computer-based instances and modules. The linker S3 now serves to electronically link the identification code I with the device identifier G from the received identification message N in order to operate and / or control the application A.

According to one aspect of the invention, it is provided that when sending the identification message N by the mobile device 10 the destination application A is determined, which is to be activated. Preferably, it is provided that each of the different applications A has its own mobile phone number (or in the case of another communication network: its own terminal address), so that the user of the mobile device 10 can determine the recipient of the identification message N by dialing the respective number. The mobile device calls it so to speak, the application. The telephone numbers can be stored in a SIM card phonebook. This will be explained in more detail in the following example.

A user is in possession of a chip card for a first application "e-commerce" and also in possession of a second chip card for a second application "health insurance card". If the user wanted to make an Internet trade in the prior art and then had to attend a doctor's visit, which required the transmission of his health insurance data, it was previously necessary that the user brought his first e-commerce smart card and then his second health insurance chip card used Has. With the solution according to the invention, this is no longer necessary, but now the user only has to use one device, namely his mobile device 10 work. For the first application he sends the picture identifying him, which he uses with the camera of his mobile device 10 records (or has already taken and retrieves from memory), indicating his mobile phone number (which is used as a device identifier G) to the e-commerce application A. The e-commerce application A can then verify the identity of the user and can Trigger data exchange for the intended purchase. Following this or also in parallel, the user can send the picture identifying him (which in turn is used as identification code I) to another mobile phone number, again passing on his mobile phone number, which is also used as device identifier G. The second number addresses the second application, namely the health insurance application. Therefore, if the user is asked for his health insurance data on the occasion of his medical consultation, it is no longer necessary for him to issue his health insurance card, but he only has to send the image identifying him to the health insurance application A, which then receives the necessary data for Checking the access authorization analyzed. In an alternative embodiment of the invention, a data exchange between the applications can be provided so that the identification data are sent automatically and directly from the first to the second or a further application, without the user having to send his ID data again for this purpose. Optionally, a confirmation signal from the user can be requested to increase security when sending his ID data to another application.

An advantage is thus also to be seen in the fact that the user can operate quasi-parallel multiple applications A, all of which require one (each different) access authorization.

As in 3 illustrated and mentioned above, it is possible according to an alternative embodiment, the sending of the identification message N and / or the sending of application-specific data A from the server S to the mobile device 10 be dependent on an acknowledgment signal and / or a verification signal V by the user. As in 3 It can also be seen that the further processing on the server S by the application A is made dependent on the reception of the verification signal V. In this case, so it is waiting for the mobile device 10 sends a verification signal V to the server S. This allows the user of the mobile device 10 make the further processing of access data on the server S dependent on the input of its acknowledgment signal. Overall, the security of the system can be increased by ensuring that identifying messages or records only between mobile device 10 and server S or application A are transmitted, if the user confirms this.

As mentioned above, in the preferred embodiments, the invention relates to the use of an optical identification code. There are two advantageous embodiments: On the one hand the use of an image or a camera shot of each user and on the other hand, the use of a barcode that identifies the respective user in an unambiguous manner and in a further step by the camera of the mobile device 10 is photographed and thus digitized can be forwarded.

The photograph of the user can currently be captured with the camera or it can be stored in saved form. The advantage of this solution is that the user does not have to carry any additional identification features. In the case of using the barcode, it is only necessary to carry the barcode in a selectable form. For example, the barcode can be printed on a paper or it can already be stored in the mobile device 10 to be provided. The optical representation of the barcode is then photographed and thus digitized and can thus be forwarded to the other instances.

In both variants, the optical identification code I (barcode or image of the user) is photographed and sent in digital form, preferably in an MMS to the server S for operating the applications A.

In summary, the invention can be described in abbreviated form as follows: Photographic data acquisition of an optical identification code, in the form of an image of the user or in the form of a bar code, is performed on the mobile radio device 10 recorded and used to identify the user. This optical identification code I is together with the mobile number G of the mobile device 10 sent as MMS to an application A, which runs on a central server S and, after receiving the identification message N, is able to identify the sender of the identification message N (namely the user) and assign corresponding data records in order to operate the application A. , Using an optical identification signal (photographic recording of a barcode or the user) and the mobile number of the user, the user can identify the user for the respective application A on the server side.

Finally, it is pointed out that the different exemplary embodiments mentioned in the above description can also be used in combination. In addition, it is possible to use parts of the method for processing an access authorization on the mobile device 10 and other parts of the method on the server S, so to speak as a distributed system or according to a client-server principle, in which a plurality of mobile clients 10 interact with a central server S, which in turn may include a variety of applications A. The main field of application of the invention is in the field of medical technology and healthcare. However, the access authorization principle proposed here can also be transferred to other technical areas, which also require access authorization on the part of the user. In addition, a cumulative application in different areas is possible (e-commerce, financial sector, health care, etc.), where the user is only his mobile device 10 and must carry with it the identifying optical identification code.

Claims (14)

Mobile device ( 10 ) for use in an electronic access system and for communication with a central server (S) for processing at least one user-specific and application-specific access authorization for at least one application (A), comprising: - a generator ( 101 ) intended for generating a machine-readable identification code (I) that informs a user of the mobile radio device ( 10 ) - a read-in module ( 102 ), which is intended for reading the machine-readable identification code (I) - a transmission module ( 103 ), which sends the machine-readable identification code (I) together with a device identifier (G) in an identification message (N) to the server (S), which can extract at least one application-specific access authorization from the identification message (N). Mobile device ( 10 ) according to claim 1, wherein the identification code (I) is an optical code and is transmitted as a bar code and / or as an image. Mobile device ( 10 ) according to one of the preceding claims, in which the identification code (I) is provided with an optical detection device which is connected to the mobile radio device ( 10 ) or is integrated in it, is generated or is read in via a data interface. Mobile device ( 10 ) according to one of the preceding claims, in which the identification message (N), optionally in response to a verification signal (V), is transmitted in a packet and optionally includes a time stamp. Mobile device ( 10 ) according to one of the preceding claims, in which the identification message (N) is transmitted as a multimodal message, in particular using the multimedia messaging service. Mobile device ( 10 ) according to one of the preceding claims, in which the device identifier (G) is automatically transmitted from the mobile radio device ( 10 ) is generated and in particular the mobile number of the device and automatically the identification message (N) is added. Mobile radio-operated, electronic access system for processing at least one user-specific and application-specific access authorization for at least one application (A), with a multiplicity of mobile radio devices ( 10 ) and at least one central server (S), in each case a mobile device ( 10 ) is assigned to a user and in each case a mobile device ( 10 ) is identifiable via a machine-readable device identifier (G), wherein at the mobile radio device ( 10 ) an electronic identification code (I), which identifies the mobile device user, is generated, read in and sent in an identification message (N) together with the machine-readable device identifier (G) to the server (S) from the received identification message (N) at least one Extract application-specific access authorization. Mobile radio operated electronic access system according to claim 7, wherein the mobile radio device ( 10 ) and the server (S) and, where appropriate, other instances via a mobile network in data exchange. A central server (S) for use in a mobile radio operated electronic access system according to claim 7, comprising: - a receiving module (S1) intended to receive the identification message (N) - an extractor adapted to receive from the received identification message (S) N) to extract the identification code (I) - a linker (S3) intended to electronically link the identification code (I) to the device identifier (G) to control the application (A). Central server (S) according to claim 9, which stores the result of the linker (S3) in a database (DB) or makes it available to other entities. Method for processing at least one user-specific and application-specific access authorization for at least one application (A) operating on a plurality of mobile radio devices ( 10 ) and on at least one central server (S) is executed, in each case a mobile device ( 10 ) is assigned to a user and in each case a mobile device ( 10 ) is identifiable via a machine-readable device identifier (G), comprising the following steps: - Generating a machine-readable identification code (I), which identifies the user - Importing the generated identification code (I) into the mobile radio device ( 10 ) - sending an identification message (N) comprising the read-in identification code (I) and the device identifier (G) from the mobile radio device ( 10 ) to the server (S) - Server-side receiving the identification message (N) - Server-side extraction of the identification code (I) from the identification message (N) to extract from the identification code (I) at least one application-specific access authorization for controlling the application (A) , and electronically linking the extracted identification code (I) to the device identifier (G). Method for a mobile device ( 10 ) for processing at least one user-specific and application-specific access authorization for at least one application (A), wherein the mobile radio device ( 10 ) is in communication with at least one central server (S), in each case a mobile device ( 10 ) is assigned to a user and in each case a mobile device ( 10 ) is identifiable via a machine-readable device identifier (G), comprising the following steps: - Generating a machine-readable identification code (I), which identifies the user - Importing the generated identification code (I) into the mobile radio device ( 10 ) - sending an identification message (N) comprising the read-in identification code (I) and the device identifier (G) from the mobile radio device ( 10 ) to the server (S). Method for operating a server (S) for processing at least one user-specific and application-specific access authorization for at least one application (A), wherein the server (S) is equipped with a multiplicity of mobile radio devices ( 10 ) is in data exchange, in each case a mobile device ( 10 ) is assigned to a user and in each case a mobile device ( 10 ) is identifiable via a machine-readable device identifier (G), with the following steps: receiving an identification message (N) from a mobile radio device ( 10 ), comprising a machine-readable identification code (I) and the device identifier (G) of the mobile radio device ( 10 ), wherein the identification code (I) identifies the mobile radio user - extraction of the identification code (I) from the identification message (N) to extract from the identification code (I) at least one application - specific access authorization to control the application (A), and electronic linking of the extracted identification codes (I) with the device identifier (G). A computer program product having a computer program stored on a machine-readable carrier for carrying out all or individual steps of the method according to the above method claim 11 when the computer program is executed on a computer.

Images